Bug 160890 - Squid fails to open connection on port 21 (FTP) in SELinux targeted mode
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
i386 Linux
medium Severity high
Assigned To: Daniel Walsh
Reported: 2005-06-18 00:20 EDT by Bojan Smojver
Modified: 2007-11-30 17:11 EST (History)
Last Closed: 2005-06-28 20:12:42 EDT
Description Bojan Smojver 2005-06-18 00:20:08 EDT
Description of problem:
Squid can't open connections to port 21 (and some other ports). This prevents
browsing of FTP sites.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.23.18-12 (i.e. FC4 updates/testing)

How reproducible:

Steps to Reproduce:
1. Run squid under targeted policy.
2. Attempt to open FTP site.
Actual results:
Connection refused.

Expected results:
Should work and it does when SELinux is disabled.

Additional info:
Jun 18 14:09:30 beauty kernel: audit(1119067770.693:65): avc:  denied  { name_connect } for  pid=2255 comm="squid" dest=21 scontext=system_u:system_r:squid_t tcontext=system_u:object_r:ftp_port_t tclass=tcp_socket
Comment 1 Daniel Walsh 2005-06-18 06:23:06 EDT
If you set the boolean squid_connect_any, it should work, although ftp_port_t should probably be added to squid for default.
Comment 2 Bojan Smojver 2005-06-18 08:41:40 EDT
OK, I'll try that and report back. It would make sense to make it a default
though, just like you said.

I'm also having trouble with dovecot since moving to FC4, as reported in 158583.
The dovecot_disable_trans boolean wouldn't have anything to do with tcp ports,
Comment 3 Bojan Smojver 2005-06-28 20:12:42 EDT
This appears to be fixed in selinux-policy-targeted-1.23.18-17. One still does
need to enable squid_connect_any if passive FTP is being used, but that seems
OK, given that those ports cannot be predicted.
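
Added example, not part of the original bug report and not the SELinux tooling's own code: a small Python parser that turns AVC denials like the one in the description into the allow-rule form a policy author would review, together with the destination ports that triggered each rule. The second sample line (port 40123, type port_t) is constructed to illustrate the passive FTP case mentioned in comment 3.

```python
import re
from collections import defaultdict

# First line: the denial from the report. Second line: constructed sample
# (port 40123 and the port_t type are assumptions) for a passive FTP data port.
SAMPLE_LOG = """\
Jun 18 14:09:30 beauty kernel: audit(1119067770.693:65): avc:  denied  { name_connect } for  pid=2255 comm="squid" dest=21 scontext=system_u:system_r:squid_t tcontext=system_u:object_r:ftp_port_t tclass=tcp_socket
Jun 18 14:09:31 beauty kernel: audit(1119067771.102:66): avc:  denied  { name_connect } for  pid=2255 comm="squid" dest=40123 scontext=system_u:system_r:squid_t tcontext=system_u:object_r:port_t tclass=tcp_socket
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict of fields for one AVC denial line, or None if it is not one."""
    m = AVC_RE.search(line)
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))} if m else {}
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None
    fields["perms"] = m.group("perms").split()
    try:  # a context is user:role:type[:mls]; the type is the third component
        fields["stype"] = fields["scontext"].split(":")[2]
        fields["ttype"] = fields["tcontext"].split(":")[2]
    except IndexError:
        return None
    return fields


def summarize(log_text):
    """Group denials into allow-rule form, keeping the ports that triggered them."""
    rules = defaultdict(lambda: {"perms": set(), "ports": set()})
    for line in log_text.splitlines():
        avc = parse_avc(line)
        if avc is None:
            continue
        entry = rules[(avc["stype"], avc["ttype"], avc["tclass"])]
        entry["perms"].update(avc["perms"])
        if "dest" in avc:
            entry["ports"].add(int(avc["dest"]))
    return {
        f"allow {s} {t}:{c} {{ {' '.join(sorted(v['perms']))} }};": sorted(v["ports"])
        for (s, t, c), v in rules.items()
    }


if __name__ == "__main__":
    for rule, ports in summarize(SAMPLE_LOG).items():
        print(rule, "# dest ports:", ports)
```

The output separates the fixed FTP control port, which a default rule for ftp_port_t can cover, from the unpredictable data port, which only a broad setting such as squid_connect_any covers.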
